Annotation of wikisrc/users/wiz/mutt-smime.mdwn, revision 1.3

# Setting up mutt with S/MIME support using gpgme

When trying to set mutt up for use with S/MIME you will find guides
like [[this one|http://equiraptor.com/smime_mutt_how-to.html]] or
[[this other one|https://kb.wisc.edu/middleware/page.php?id=4091]]
which tell you how to enable the openssl support and how to configure
it.

This is what I did at first, but when my key expired and I created a
new one, I found out that this setup only supports one secret key at a
time; i.e., when I switched to the new key, I could not read my old
emails any longer.

By lucky accident, I found the second supported method using
[[gpgme|https://www.gnupg.org/related_software/swlist.html#gpgme]]
that is much easier to set up and use, and does support multiple
secret keys, but lacks documentation.

So here's the documentation for this setup.

# mutt

## mutt compilation

When compiling mutt, you need to have gpgme installed and use mutt
configure's --enable-gpgme flag.
You also need gnupg version 2.x installed.

In pkgsrc, set

    PKG_OPTIONS.mutt+=       gpgme

in your /etc/mk.conf.

## mutt setup

Add

    set crypt_use_gpgme=yes

to your .muttrc. That's it.

(If your .muttrc "source"s smime.rc or gpg.rc, you can comment out
these lines; you don't need them any longer.)

# gpgme

## gpg-agent

You can use generic setup instructions for gnupg 2.x instead of this
section; I include them for completeness. They also apply to OpenPGP, so
if you have that set up for gnupg 2.x already, you can skip it.

You need to have a gpg-agent running. The suggested setup (by gnupg) is
running it from your X startup file, or from your login shell startup
script.

Short documentation for the latter and zsh:

### gnupg 2.0

Add to .zlogin:

    gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"

Add to .zshrc:

    export GPG_TTY=$(tty)
    # only needed for 2.0, not for 2.1
    if [ -f "${HOME}/.gpg-agent-info" ]; then
        . "${HOME}/.gpg-agent-info"
        export GPG_AGENT_INFO
        export SSH_AUTH_SOCK
    fi

### gnupg 2.1

Much easier, just add to .zshrc:

    export GPG_TTY=$(tty)

### pinentry

Choose a pinentry program in your .gnupg/gpg-agent.conf, for example:

    pinentry-program /usr/pkg/bin/pinentry-curses

## gpgsm

Now for the actual S/MIME part of the setup.

### Own key

Get a certificate, e.g. from CAcert or Thawte. Export the certificate
from your browser (or the OS X keychain) with a password; you'll get a
.p12 file.

Then just import the file:

    gpgsm --import keyfile.p12

### Other keys

The same as for your own key, but the keyfile doesn't need to be encrypted.

    gpgsm --import keyfile.p12

### Intermediate Certificates

You might be missing certificates. Then you will see errors like this:

    gpgsm: issuer certificate {ADBD987A34B426F7FAC42654EF03BDE024CB541A} not found using authorityKeyIdentifier

The value in braces is the key identifier of the missing issuer
certificate. Google the hash and you'll probably find the corresponding
certificate; at least that's what worked for me.

### Trust

You'll have to tell gpgsm which certificates you trust.

    gpgsm -k --with-validation

When you don't do that, you'll see

    Problem signature

in mutt, or it will hang decoding a message until you interrupt it.

### Multiple Secret Keys

In case you have multiple secret keys (e.g. some expired ones and a
current one), you can choose the default one by adding

    local-user XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

to your .gnupg/gpgsm.conf config file, where
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is the
fingerprint of your key. If you don't know it, you can find it using

    gpgsm -K your@email.address

or just

    gpgsm -K

If you don't set this, gpgsm will use the first secret key in your
keychain.
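As an added example for the "Multiple Secret Keys" step above (not part of the original page), this POSIX shell snippet picks, from a `gpgsm -K` listing, the first secret key whose validity period covers a given day and prints the matching `local-user` line for gpgsm.conf, so an expired key is never chosen by accident. The listing embedded below is constructed; the layout it assumes (one `validity:` and one `fingerprint:` line per certificate) follows gpgsm's key listing.

```shell
#!/bin/sh
# Constructed sample of `gpgsm -K` output: one expired key, one current key.
SAMPLE_LISTING='/home/wiz/.gnupg/pubring.kbx
---------------------------
           ID: 0x11111111
          S/N: 01
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=wiz/EMail=wiz@example.org
     validity: 2014-03-01 00:00:00 through 2015-03-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

           ID: 0x22222222
          S/N: 02
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=wiz/EMail=wiz@example.org
     validity: 2020-03-01 00:00:00 through 2099-03-01 00:00:00
     key type: 2048 bit RSA
  fingerprint: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
'

# local_user_line DAY
#   Reads a gpgsm key listing on stdin and prints "local-user <fingerprint>"
#   for the first certificate whose validity covers DAY (YYYY-MM-DD).
#   Exits 1 when no key is valid on that day. Dates are compared as
#   strings, which is correct for the YYYY-MM-DD layout gpgsm prints.
local_user_line() {
    awk -v today="$1" '
        # "validity: FROM TIME through THRU TIME": keep both dates
        $1 == "validity:" { from = $2; thru = $5 }
        # the fingerprint line closes a certificate block
        $1 == "fingerprint:" {
            if (!done && from <= today && today <= thru) {
                print "local-user " $2
                done = 1
            }
        }
        END { exit done ? 0 : 1 }
    '
}

# Example run against the constructed listing for the current day.
echo "$SAMPLE_LISTING" | local_user_line "$(date +%Y-%m-%d)"
```

Pipe real `gpgsm -K` output into `local_user_line` instead of the sample and append the printed line to .gnupg/gpgsm.conf.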
